Shareware 1 2 the Maxx

home *** CD-ROM | disk | FTP | other *** search

/ Shareware 1 2 the Maxx / sw_1.zip / sw_1 / VIRUS / TBSCAN33.ZIP / TBSCAN.HLP < prev next >

Wrap

Text File | 1992-03-10 | 16KB | 418 lines

TBSCAN.HLP This file will be displayed if using the -help option of TbScan. This help is very comprehensive and does NOT replace the documentation! Program invokation: TBSCAN [@][<path>][<filename>]... [<options>]... Example: TBSCAN C:\ D:\ When no filename has been specified but only a drive and/or path, then the specified path will be used as top-level path.All its subdirectories will be processed too. When a filename has been specified then only the specified path will be searched. Subdirectories will not be processed. Wildcards in the filename are allowed although only executable files will be processed. If you want the non-executables to be processed too, then you have to specify the "-analyze" parameter in combination with the filename. "TBSCAN TEST.DAT" will always cause that no file will be processed: TEST.DAT is not an executable file. In this case you have to specify the -analyze parameter. You can also specify a list file to TbScan. A list file is a file that contains a list of paths/filenames to be scanned. Preceed the file with the character '@' on the TbScan command line: TBSCAN @TBSCAN.LST Command line and environment options: -help,-h=help (-? = short help) -info,-i=display disassembly information -quick,-q=quick scan -more,-m=enable "More" prompt -mutant,-y=enable fuzzy search -direct,-d=direct calls into DOS/BIOS -analyze, -a=force analyze/all files -extract, +a=extract signature -valid,-u=force authorization -once,-o=only once a day -compat,-c=maximum-compatibility mode -nosnow,-t=avoid snow on CGA monitors -noboot,-s=skip bootsector -sector,+s=scan all disk sectors -nomem,-r=don't scan memory -allmem,+r=scan for all viruses in memory -hma,+e=scan HMA too -nohmem,-e=don't scan UMB/HMA -nosub,-n=don't scan in sub directories -sub,+n=process sub directories -noavr,-j=do not search for AVR modules -del[ete] -z=delete infected files -batch,-b=don't ask keyboard input -repeat,-x=scan multiple diskettes -loginfo, -w=log files with a lowercase warning too -logall,+w=log all files unconditionally -log[<filename>],+l [<filename>]=append to log file -session[<filename>],-l [<filename>]=create session log file -data<filename>-f <filename>=data file to be used -ren[ame] [<ext mask>],+z [<ext mask>]=rename infected files -info If you are an experienced user we recommend you to use this option. If you do so, TbScan will display the most important warnings with the complete pathname of the concerned file in the upper window. -quick This option enables you to quickly scan the system. It is recommended to invoke TbScan once a day without this option because this option does not offer you the highest security. .OVL files and .SYS files are skipped entirely since it is not likely that these files are infected, memory scan is skipped, the scan frame is reduced to 2Kb instead of 4Kb, and TbScan does not fall back to the analyze routine as often as usual. However, TbScan still detects 95% of the viruses if this option is specified. -more When you enter the parameter -more TbScan will stop after it has checked the contents of one display. -mutant If you use the -mutant option TbScan does not restrict itself to the wildcard specification, but allows up to two extra changes anywhere in the signature. False alarms may occur. Therefore this option is not recommended to be used in a normal scan session. However, you can use this option if you expect the system is infected but TbScan does not detect a virus. If you scan again and specify the -mutant option, and TbScan now reports many files to be "possibly infected" with one virus, it might be possible that the files are infected by an unknown variant of the virus. -direct If you specify this option TbScan tries to determine the address of the harddisk BIOS and the DOS kernel and uses that to communicate directly with the system. Many stealth type viruses will be bypassed by this. Note that also resident software (like networks) will be bypassed and it depends on the system whether this option can be used or not. -analyze Normally TbScan only uses the analysis method when the program to be checked is too complicated for the builtin interpreter.But through option -analyze you can force TbScan to use the analysis or browse method allways. Keep in mind though that the program will perform more slowly and that false alarms may occur. Therefore it is recommended to refrain from this option while performing a normal scan session. Since this option also disables the internal disassembler of TbScan, most warning marks will not occur, and the AVR modules will not be executed. If you use the -analyze option in combination with an explicite filename specification, TbScan scans ALL matching files for ALL signatures. Needless to say that this combination is NOT recommended due to its low performance and exessive amount of false alarms.It is only provided to gain some compatibility with other scanners. -extract This option is available for registered users only. See chapter "defining a signature" of the user manual for usage of this option. -valid TbScan checks the signature file for modifications.If you change the contents of that file TbScan will issue a warning.If you don't want the warning to be displayed, use the -valid option. -once If you specify this option TbScan "remembers" that is has been used that day, and it will not run anymore a next time on that day if you specify this option again. This option is very powerfull if you use it in your autoexec.bat file in combination with a list file like:TbScan @everyday.lst -once -rename -compat If you specify this option, TbScan tries to behave somewhat more compatible. Use this option if the program does not behave as expected or hangs the machine. This option will slow down the scan process so it should only be used when necessary. Note that the -compat option does not affect the results of a scan. -nosnow If you use TbScan on a machine with a CGA video system TbScan can cause "snow" on the screen. Option -nosnow can be used to eliminate the snow. -noboot If you specify this option TbScan will not scan the bootsector. -sector This option is experimental.This option enables the feature to scan a disk at sector level.This way you can trace viruses that reside outside the files and bootsector and difficult stealth viruses. This option might also tell you that a virus ever resided on the machine in the past.If this option detects a signature it does not mean that the virus should be still active. Even if TbScan deleted the virus this option is still able to detect the signature for a while.This option is absolutely NOT recommended for a normal search. Note that TbScan is not able to detect suspicious facts anymore; it can not disassemble files with this mode. False alarms may occur frequently since everything is being searched for, and search is even performed in unused disk space containing garbage. -nomem If you specify this option TbScan will not scan the memory of the PC for viruses. -allmem If you specify this option TbScan will search for all viruses of the signature file in the memory of your PC, regardless of the virus type. This option is not recommended since the signature of most viruses changes when the virus is resident in memory and the virus will not be found by the file type signature. It may cause a lot of false alarms and does not detect more viruses. It is provided to maintain some compatibility with other scanners. -hma Use this option if TbScan does not recognize your HMA driver. -nohmem Use this option if you don't want TbScan to scan upper memory. -nosub TbScan will default search in subdirectories for executable files, except when a filename (or wildcards) are specified.If you use this option TbScan will never search in subdirectories. -sub If you use this option TbScan will always search in subdirectories, even when you specify a filename or wildcards.Only subdirectories matching the filename mask will be scanned too. -noavr If you specify this option TbScan will not search for AVR modules (Algorithmic Virus Recognition modules; .AVR files) at startup and will not perform any algorithmic searches. -delete or -del If TbScan detects a virus in a file it prompts the user to delete or rename the infected file, or to continue.If you specify the -delete option, TbScan will not ask the user what to do but it just deletes the infected file.Use this option only if you already found out that your system is infected, and if you have a trusted backup, and want to get rid of all infected files at once. -batch If TbScan detects a file virus it prompts the user to delete or rename the infected file, or to continue. If you specify the -batch option TbScan will always continue. This option is intended to be used in a batch file that would be executed unattended. It is highly recommended to use a log file in this situation. -repeat The option is very powerfull if you want to check a large amount of diskettes. TbScan does not return to DOS after checking a disk, but it waits until you insert another disk in the drive. -log When you use this parameter, TbScan creates a LOG-file.The default filename is TBSCAN.LOG and it will be created in the current directory.You may optionally specify a path and filename. If the log file already exists the information will not be overwritten but instead appended to the file. If you use this option often it is recommended to delete or truncate the log file every month to avoid unlimited growth. -session This option is the same as the -log option, except that if there already exists a log file the log information will be overwritten instead of appended. A log file created by the -session option only contains information of a single scanning session. -loginfo If you use a log file and wants to log files with lowercase (informative) warnings too you should specify this option. -logall If you use a log file and wants to get all files listed in the log file unconditionally you can use this option. -data You can override the default path en name of the signature file to be used by specifying this option. -rename or -ren If TbScan detects a file virus it prompts the user to delete or rename the infected file, or to continue.If you specify the -rename option, TbScan will not ask the user what to do but it just renames the infected file. By default, the first character of the file's extension will be replace by the character "V". You can also add a parameter to this option specifying the target extension.The parameter should always contain 3 characters, question marks are allowed.The default target extension is "V??". The warning marks. 'R'Suspicious relocator. The character 'R' warns for a suspicious relocator. A relocator is a sequence of instructions that change the proportion of CS:IP. It is often used by viruses, especially COM type infectors. Those viruses have to relocate the CS:IP proportion because they are compiled for a specific location in the executable file, and a virus that infects another program can almost never use its original location in the file (it is appended to the file). Normal programs "know" their location in the executable file, so they don't have to relocate themselves. On normal systems only a few percent of the programs should cause this warning to be displayed. Tests on a large collection of viruses shows that TbScan issues this warning for about 65% of all viruses. TbScan uses the "analyze" or "browse" algorithm on programs which contain a suspicious relocator. 'T'Invalid timestamp. The timestamp of the program is invalid. The seconds of the timestamp are illegal, or the date is illegal or later than the year 2000. This is suspicious because many viruses set the timestamp to an illegal value (like 62 seconds) to mark that they already infected the file, preventing themselves to infect a file for a second time. '!'Branch out of code. The program has an entry point that is located outside the file's body, or a chain of "jumps" traced to a location outside the program file. The program being checked is probably damaged, and can not be executed. '#'Decryptor code found. The file possibly contains a self-decryption routine. Some copy-protected software is encrypted so this warning may appear for some of your files. But if this warning appears a lot, or in combination with by example the T-warning, there could be a virus involved! Many viruses encrypt themself and cause this warning to be displayed. 'D'Direct disk access. This warning is displayed if the program being processed has instructions near the entry-point to write to a disk directly. It is normal that some disk related utilities cause this warning to be displayed (like Undelete.Exe). As usual, if many of your files (which have nothing to do with the disk) cause this warning to be displayed your system might be infected by an unknown virus. 'N'Wrong name extension. Name conflict. The program carries the extension .EXE but appears to be a .COM file, or it has the extension .COM but the internal layout of an .EXE file. TbScan scans the file for both EXE and COM type signatures. 'M'Memory resident code. TbScan has found instruction sequences which could make the program to remain resident in memory or to hook into important interrupts. Almost all TSR (Terminate and Stay Resident) programs will trigger this warning, because hooking into interrupts or remaining resident belong to their normal behaviour. However if a lot of normal programs (not intended to be a TSR) have this warning mark it is suspicious. It is possible that the files are infected by a virus that remains resident in memory. Note that this warning does not appear for all TSR-programs, nor does it always mean that when this warning appears the program is a TSR program. 'F'Suspicious file access. TbScan has found instruction sequences common to infection schemes used by viruses. This warning will appear for a few programs that are able to create or modify existing files. However, if this warning appears a lot, the files might be infected, especially if the warning is accompanied by other serious warnings. '?'Inconsistent header. The program being processed has an exe-header that does not reflect the actual program layout. Many viruses do not update the exe-header of an EXE file correctly after they have infected the file, so if this warning appears a lot it seems you have a problem. You should ignore this warning for the DOS SORT.EXE program. 'E'Read or open error. The file could not be opened or read. This can be the result of an error on the disk(ette), but the file could also be in use by another task or network user. The file has not been scanned. 'J'Multiple jumps. The program did not start at the program entry point, but the code has jumped at least two times before reaching the final startup code. This is rather strange for normal programs. If many files cause this warning to be displayed you should investigate your system thorougly. 'p'Packed or compressed file. The program is packed or compressed. This warning is quiet normal. Consult the manual for more information. 'w'Windows or OS/2 header. The program can be or is intended to be used with Windows (or OS/2). 'h'Hidden or System file. The file has the "Hidden" or the "System" file attribute set. 'i'Internal overlay. The program being processed has additional data or code behind the load-module as specified in the exe-header of the file. The program might have internal overlay(s) or configuration information appended behind the load-module of the EXE file. 's'Unusual stack. The EXE file being processed has an odd (instead of even) stack offset or no stack at all.